♻️ Refactored code to support cryptomator-cli v0.6.X

greycubesgav · greycubesgav · commit 4bcaf2ee4113 · 2025-04-23T20:36:40.000+03:00
diff --git a/.dockerignore b/.dockerignore
@@ -1,28 +1,8 @@
-**/.classpath
+
 **/.dockerignore
 **/.env
 **/.git
 **/.gitignore
-**/.project
-**/.settings
-**/.toolstarget
-**/.vs
 **/.vscode
-**/*.*proj.user
-**/*.dbmdl
-**/*.jfm
-**/bin
-**/charts
-**/docker-compose*
-**/compose*
-**/Dockerfile*
-**/node_modules
-**/npm-debug.log
-**/obj
-**/secrets.dev.yaml
-**/values.dev.yaml
-LICENSE
-README.md
 # Project specific
-.env
 vault.pass
diff --git a/Dockerfile b/Dockerfile
@@ -1,21 +1,25 @@
 #------------------------------------------------------------------------------------------
 # Stage 1: Build container
 #------------------------------------------------------------------------------------------
-FROM alpine:3.18.2 as builder
+FROM debian:sid-20250407-slim AS builder
 
 # Install ssl dependencies
-RUN apk --no-cache add openssl
+RUN apt-get update && apt-get install --no-install-recommends -y openssl unzip && rm -rf /var/lib/apt/lists/*
 
 # Create a new selfsigned certificate
 COPY config/pem.conf /root/pem.conf
 RUN openssl req -newkey rsa:2048 -nodes -keyout /root/stunnel.pem -x509 -days 3650 -out /root/stunnel.pem -config /root/pem.conf
 
+# Copy over cryptomator-cli package and unzip
+COPY packages/cryptomator-cli-latest-linux-x64.zip /opt/cryptomator-cli.zip
+RUN unzip -o /opt/cryptomator-cli.zip -d /opt/cryptomator/ && rm -f /opt/cryptomator-cli.zip
+
 #------------------------------------------------------------------------------------------
 # Stage 2: Final container
 #------------------------------------------------------------------------------------------
-FROM alpine:3.18.2
+FROM debian:sid-20250407-slim
 
-RUN apk --no-cache add stunnel openjdk17-jre-headless setpriv shadow
+RUN apt-get update && apt-get install --no-install-recommends -y stunnel curl netcat-openbsd && rm -rf /var/lib/apt/lists/*
 
 # Set temporary UID and GID's to create the initial user and group
 # Use the 'standard' linux starting UID and GID for interactive users
@@ -32,9 +36,7 @@ RUN groupadd -g "${CRYPTOMATOR_TMP_GID}" cryptomator && useradd --no-log-init -u
 # Copy over the stunnel config and self signed cert
 COPY --chown=cryptomator:cryptomator --chmod=0440 config/stunnel.conf /etc/stunnel/stunnel.conf
 COPY --from=builder --chown=cryptomator:cryptomator --chmod=0440 /root/stunnel.pem /etc/stunnel/stunnel.pem
-
-# Copy over the latest cryptomator-cli.jar file
-COPY --chown=cryptomator:cryptomator --chmod=0444 packages/cryptomator-cli-latest.jar /usr/local/bin/cryptomator-cli.jar
+COPY --from=builder --chown=cryptomator:cryptomator /opt/cryptomator/ /opt/
 
 # Copy over the init scripts last (to speed up dev rebuilds when these change)
 COPY --chown=root:root --chmod=0555 scripts/init.sh /init.sh
diff --git a/Makefile b/Makefile
@@ -35,11 +35,26 @@ openssl-remote-connect:
 openssl-remote-client-cert:
 	openssl s_client -cert config/stunnel.pem -connect 127.0.0.1:18081
 
+run-dev-env:
+	docker-compose run cryptomator-webdav-env
+
 run-dev-build:
-	docker-compose run --service-ports cryptomator-webdav-dev
+	docker-compose run --rm --remove-orphans --service-ports  cryptomator-webdav-dev
+
+run-dev-build-passfile:
+	docker-compose run  --rm --remove-orphans --service-ports cryptomator-webdav-passfile-dev
 
 up-cryptomator-webdav:
 	docker-compose up cryptomator-webdav
 
 build-cryptomator-webdav:
-	docker-compose build cryptomator-webdav
+	docker-compose build cryptomator-webdav
+
+test-cryptomator-webdav-http:
+	curl -X PROPFIND http://127.0.0.1:8080/vault/ -H "Depth: 1"
+
+test-cryptomator-webdav-https:
+	curl -k -X PROPFIND https://127.0.0.1:8443/vault/ -H "Depth: 1"
+
+test-cryptomator-webdav-https-host:
+	curl -k -X PROPFIND https://127.0.0.1:18081/vault/ -H "Depth: 1"
diff --git a/Readme.md b/Readme.md
@@ -1,14 +1,13 @@
 # Cryptomator-webdav
+
 This repo contains a set of docker files to create a docker image to run the [Cryptomator cli](https://github.com/cryptomator/cli) within Docker.
 The Cryptomator-cli application shares a local Cryptmator vault over an TLS protected webdav share.
 
 :warning: The webdav server contained within the Cryptomator-cli application provides **no username or password** access controls. Take your own appropriate security precautions.
 
 :warning: As of June 2023, Cryptomator states the cli application is still in an early stage and not ready for production use. We recommend using it only for testing and evaluation purposes.
 
-<p align="center">
-  <img src="images/cryptomator-finder-example.png" alt="Cryptomator Finder Example">
-</p>
+![Cryptomator Finder Example](images/cryptomator-finder-example.png)
 
 ## Usage Instructions
 
@@ -23,17 +22,24 @@ cp sample.env .env
 docker-compose up cryptomator-webdav
 # The vault will be accessible on the docker host machine on the port specified in the .env file
 ```
-By default the cryptomator vault will be available over webdav at `webdavs://127.0.0.1:18081/vault`, using a self-signed certificate, with no username or password on the webdav share.
+
+By default the cryptomator vault will be available over webdav at the following url, using a self-signed certificate, with no username or password on the webdav share.
+
+```bash
+webdavs://127.0.0.1:18081/vault
+```
 
 If you wish to be able to access the vault over the the docker host's external IPs, update CRYPTOMATOR_HOST in `.env` to either 0.0.0.0 (all ips), or a specific docker host IP.
 
-#### File Permissions
+### File Permissions
 
 This docker image is setup to drop privileges to a userID and groupID specified in the Environment Variables. This is to aid running under appliance style OS's such as Unraid, where all containers are run as root by default. Dropping privileges within the container ensures Cryptomator only has access to the userID and groupID specified in the CRYPTOMATOR_UID and CRYPTOMATOR_GID environment variables.
 
-**Ensure that your local Cryptomator vault files are read and writable by the user selected.**
+**Ensure that your local Cryptomator vault files are read and writable by the userID  selected.**
+
+#### Permissions Update
 
-##### Permissions Update
+Run the following commands across your local cryptomator vault files to update them for the the default User and Group IDs.
 
 ```console
 # Change all files to be owned by userID/groupID 1000
@@ -74,6 +80,7 @@ CRYPTOMATOR_UMASK=0077
 ```
 
 ### Using a signed cert
+
 If you have a trusted certificate you with to use for the TLS layer, you can bind mount it over the top of the self signed cert within the image.
 
 Add the following line under the Volumes entry within the docker-compose.yml file:
@@ -99,26 +106,36 @@ docker-compose build cryptomator-webdav
 ```
 
 ## Upgrade version of internal cryptomator-cli instructions
+
 To upgrade to a newer version of cryptomator-cli within the docker image:
 
-* Download the new .jar from the [cryptomator-cli releases page](https://github.com/cryptomator/cli/releases)
-* Update the `packages/cryptomator-cli-latest.jar` symlink to point the new jar version
-```bash
-ln -sf cryptomator-cli-0.5.1.jar packages/cryptomator-cli-latest.jar
-```
+* Download and unzip the new release package from the [cryptomator-cli releases page](https://github.com/cryptomator/cli/releases)
 * Rebuild the docker image
+
 ```bash
-docker-compose build cryptomator-webdav
+wget -P packages 'https://github.com/cryptomator/cli/releases/download/0.6.2/cryptomator-cli-0.6.2-linux-x64.zip'
+ln -s -f cryptomator-cli-0.6.2-linux-x64.zip packages/cryptomator-cli-latest-linux-x64.zip
+make build-cryptomator-webdav
 ```
 
 ## Debugging
 
-### Cryptomator Environment Variables
-To check what environment variables are getting set in the container:
-* Run `docker-compose run cryptomator-webdav-env`
+### To check what environment variables are getting set in the container
+
+```bash
+make run-dev-env
+```
+
+### To run the docker container using an environment variable password, connect to a local shell and manually run the entrypoint script
 
-### To run the docker container using an environment variable password and connect to a local shell
-* Run `docker-compose run --service-ports cryptomator-webdav-dev`
+```bash
+make run-dev-build
+/entrypoint.sh
+```
+
+### To run the docker container using an password file, connect to a local shell and manually run the entrypoint script
 
-### To run the docker container using an password file and connect to a local shell
-* Run `docker-compose run --service-ports cryptomator-webdav-passfile-dev`
+```bash
+make run-dev-build-passfile
+/entrypoint.sh
+```
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,11 +1,11 @@
-version: '3'
 services:
   cryptomator-webdav: &base
     build:
       context: .
       dockerfile: Dockerfile
     image: greycubesgav/cryptomator-webdav
     container_name: cryptomator-webdav
+    platform: linux/amd64
     env_file:
       - .env
     ports:
@@ -35,7 +35,7 @@ services:
       - './scripts/entrypoint.sh:/entrypoint.sh:ro'
       - './scripts/init.sh:/init.sh:ro'
       - './config/stunnel.conf:/etc/stunnel/stunnel.conf:ro'
-    entrypoint: /usr/bin/env sh
+    entrypoint: /usr/bin/env bash
   cryptomator-webdav-passfile-dev:
     # Adds passfile mount to dev container
     <<: *dev
diff --git a/packages/cryptomator-cli-0.5.1.jar b/packages/cryptomator-cli-0.5.1.jar
diff --git a/packages/cryptomator-cli-0.6.0.2.6.9-SNAPSHOT.jar b/packages/cryptomator-cli-0.6.0.2.6.9-SNAPSHOT.jar
diff --git a/packages/cryptomator-cli-0.6.2-linux-x64.zip b/packages/cryptomator-cli-0.6.2-linux-x64.zip
diff --git a/packages/cryptomator-cli-latest-linux-x64.zip b/packages/cryptomator-cli-latest-linux-x64.zip
@@ -0,0 +1 @@
+cryptomator-cli-0.6.2-linux-x64.zip
diff --git a/packages/cryptomator-cli-latest.jar b/packages/cryptomator-cli-latest.jar
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
@@ -1,18 +1,6 @@
 #!/usr/bin/env sh
-##!/usr/bin/env bash
 # shellcheck disable=SC1072,SC2120,SC2059
 
-sleep_with_dots() {
-  msg="$1"
-  seconds="$2"
-  i=1
-  while [ "$i" -le "$seconds" ]; do
-    sleep 1
-    echo "${msg}${i}/${seconds}"
-    i=$((i + 1))
-  done
-}
-
 # Define steps to clean up container parts when exiting
 cleanup() {
   echo "Received signal: $1"
@@ -82,41 +70,55 @@ fi
 CRYPTOMATOR_LISTEN_IP='127.0.0.1'
 CRYPTOMATOR_LISTEN_PORT='8080'
 CRYPTOMATOR_INTERNAL_MAX_WAIT_TIME=5
-CRYPTOMATOR_INTERNAL_STARTUP_TIME=5
 
 # Start cryptomator-cli listening on localhost
 echo "Starting cryptomator-cli in background, will share on: webdav://${CRYPTOMATOR_LISTEN_IP}:${CRYPTOMATOR_LISTEN_PORT}/vault/"
 
 # Note: Currenly hardcoded path for alpine java location
-/usr/bin/java -XX:-UsePerfData -jar '/usr/local/bin/cryptomator-cli.jar' --bind="${CRYPTOMATOR_LISTEN_IP}" --port="${CRYPTOMATOR_LISTEN_PORT}" \
-    --vault "vault=/vault"  \
-    --passwordfile "vault=${CRYPTOMATOR_INTERNAL_PASSFILE_LOC}" &
+
+if [ "$CRYPTOMATOR_DEBUG" -eq 1 ]; then
+    printf "cryptomator-cli command: /opt/cryptomator-cli/bin/cryptomator-cli unlock \
+  --mounter=org.cryptomator.frontend.webdav.mount.FallbackMounter \
+  --volumeId='vault' \
+  --loopbackPort=\"${CRYPTOMATOR_LISTEN_PORT}\" \
+  --password:file=\"${CRYPTOMATOR_INTERNAL_PASSFILE_LOC}\" \
+  /vault &"
+fi
+
+/opt/cryptomator-cli/bin/cryptomator-cli unlock \
+  --mounter=org.cryptomator.frontend.webdav.mount.FallbackMounter \
+  --volumeId='vault' \
+  --loopbackPort="${CRYPTOMATOR_LISTEN_PORT}" \
+  --password:file="${CRYPTOMATOR_INTERNAL_PASSFILE_LOC}" \
+  /vault &
+
 CRYPTOMATOR_PID=$!
 echo "cryptomator-cli PID: ${CRYPTOMATOR_PID}"
 
-echo "Waiting for cryptomator-cli to begin..."
-
 start_time=$(date +%s)
 elapsed_time=$(($(date +%s) - start_time))
-max_time="$CRYPTOMATOR_INTERNAL_MAX_WAIT_TIME"
+#max_time="$CRYPTOMATOR_INTERNAL_MAX_WAIT_TIME"
 cryptomator_port_ready=0
+cryptomator_vault_ready=0
 
-while [ $((elapsed_time <= max_time)) -eq 1 ]; do
-    nc -n -z -w 1 "$CRYPTOMATOR_LISTEN_IP" "$CRYPTOMATOR_LISTEN_PORT"
+echo -n "Waiting for cryptomator-cli to begin..."
+# Keep checking if the port is available until the maximum wait time is reached
+while [ $((elapsed_time <= CRYPTOMATOR_INTERNAL_MAX_WAIT_TIME)) -eq 1 ] && [ $cryptomator_port_ready -eq 0 ]; do
+    nc -n -z -w 1 "$CRYPTOMATOR_LISTEN_IP" "$CRYPTOMATOR_LISTEN_PORT"  >/dev/null 2>&1
     ret=$?
-
+    echo -n "."
     if [ $ret -eq 0 ]; then
-        echo "Cryptomator-cli port is now available."
+        echo
+        echo "Cryptomator-cli port is now available on ${CRYPTOMATOR_LISTEN_IP}:${CRYPTOMATOR_LISTEN_PORT}"
         cryptomator_port_ready=1
-        sleep_with_dots "Waiting for cryptomator-cli to setup share " "$CRYPTOMATOR_INTERNAL_STARTUP_TIME"
-        nc -v -n -z -w 1 "$CRYPTOMATOR_LISTEN_IP" "$CRYPTOMATOR_LISTEN_PORT"
         break
     fi
     # Sleep for a brief period before retrying
     sleep 0.1
     elapsed_time=$(($(date +%s) - start_time))
 done
 
+# Whether we succeeded or not we remove the temporary pass file ASAP
 # If we were not given a CRYPTOMATOR_VAULT_PASSFILE clean up our temporary file
 if [ "$CRYPTOMATOR_PASSFILE" = 0 ]; then
     echo "Removing temporary pass file ${CRYPTOMATOR_INTERNAL_PASSFILE_LOC}"
@@ -132,9 +134,40 @@ if [ "$cryptomator_port_ready" -ne 1 ]; then
         echo "Killing...." >&2
         kill $CRYPTOMATOR_PID
     fi
+    echo "Exiting entrypoint.sh!" >&2
     exit 1
 fi
 
+echo -n "Waiting for cryptomator-cli to share the vault..."
+# Keep checking if the share is available until the maximum wait time is reached
+while [ $((elapsed_time <= CRYPTOMATOR_INTERNAL_MAX_WAIT_TIME)) -eq 1 ] && [ $cryptomator_vault_ready -eq 0 ]; do
+    curl --silent --fail --show-error --max-time 1 "http://${CRYPTOMATOR_LISTEN_IP}:${CRYPTOMATOR_LISTEN_PORT}/vault/"  >/dev/null 2>&1
+    ret=$?
+    echo -n "."
+    if [ $ret -eq 0 ]; then
+        echo
+        echo "Cryptomator-cli share is now available."
+        cryptomator_vault_ready=1
+        break
+    fi
+    # Sleep for a brief period before retrying
+    sleep 0.1
+    elapsed_time=$(($(date +%s) - start_time))
+done
+
+# If we have not managed to connect to cryptomator-cli in the allotted time, exit
+if [ "$cryptomator_vault_ready" -ne 1 ]; then
+    echo "Error: cryptomator-cli vault could not be reached after $CRYPTOMATOR_INTERNAL_MAX_WAIT_TIME seconds." >&2
+    echo "Ensuring cryptomator process is not still running in the background.."
+    if [ -f "/proc/${CRYPTOMATOR_PID}/stat" ]; then
+        echo "Error: Cryptomator-cli still running in the background. PID: $CRYPTOMATOR_PID" >&2
+        echo "Killing...." >&2
+        kill $CRYPTOMATOR_PID
+    fi
+    echo "Exiting entrypoint.sh" >&2
+    exit 2
+fi
+
 echo '#-------------------------------------------------------'
 
 # Start stunnel to wrap the cryptomator-cli webdav in a TLS tunnel and export on container lan ip
diff --git a/scripts/init.sh b/scripts/init.sh
@@ -3,7 +3,7 @@
 
 cleanup() {
   echo "Received signal: $1"
-  if [ -n "$CRYPTOMATOR_ENTRYPOINT_PID" ]; then
+  if [ -n "$CRYPTOMATOR_ENTRYPOINT_PID" ] && [ -f "/proc/${CRYPTOMATOR_ENTRYPOINT_PID}/stat" ]; then
     echo "Cleaning up entrypoint.sh (PID: $CRYPTOMATOR_ENTRYPOINT_PID)"
     kill -s TERM "$CRYPTOMATOR_ENTRYPOINT_PID"
   fi
@@ -39,7 +39,7 @@ if [ -n "${CRYPTOMATOR_UID}" ]; then
     printf "${C_GREEN}#${C_MAGENTA} Updating user ${CRYPTOMATOR_USER} UID to match env supplied UID (${C_GREEN}${CRYPTOMATOR_UID}${C_MAGENTA})...${C_NC}\n"
     usermod --uid "${CRYPTOMATOR_UID}" "${CRYPTOMATOR_USER}" | grep -v 'usermod: no changes'
     printf "${C_GREEN}#${C_MAGENTA} Changing ownership of stunnel config so ${C_GREEN}${CRYPTOMATOR_UID}${C_MAGENTA} can read (${C_GREEN}/etc/stunnel${C_MAGENTA})...${C_NC}\n"
-    chown -R "${CRYPTOMATOR_UID}:" /etc/stunnel
+    chown -R "${CRYPTOMATOR_UID}" /etc/stunnel
 else
     printf "${C_GREEN}#${C_RED} No CRYPTOMATOR_UID supplied, required to drop privileges, exiting...${C_NC}\n"
     exit 11
